CN104715191B - Method and system for startup detection and protection of an embedded main program - Google Patents
- Publication number: CN104715191B (application CN201510136632.5A; also published as CN104715191A)
- Authority: CN (China)
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
The invention discloses a method and system for startup detection and protection of an embedded main program. The method and system monitor the programs running in an embedded system: if a program required for secure system startup has not been started, or a program that has been started is not one required for secure system startup, the system can be shut down and an alarm raised. An MD5 check can also be performed on the program file of each started program: if a program has been maliciously modified or replaced, the MD5 value calculated for the program file of the detected process will not match the MD5 value defined in the registry for the program required for secure system startup, in which case the system is shut down and an alarm signal is sent, so that malicious modification or replacement of the program can be prevented. The invention monitors and protects the embedded main program: it can prevent a program required for secure system startup from failing to start normally, prevent programs that are not required for secure system startup from being started, and prevent malicious modification or replacement of programs, ensuring the security of the embedded system.
Description
Technical field
The invention relates mainly to the technical field of embedded systems, and in particular to a method and system for startup detection and protection of an embedded main program.
Background
With the development of hardware processor technology, embedded devices and systems have advanced greatly in both performance and application. An embedded system can be connected to external communication devices over fixed cables and mobile networks, which enables remote control of the embedded system and makes it more convenient and intelligent. However, the control program of an embedded system is easily replaced or modified maliciously, so the security of the system cannot be guaranteed. Devices whose programs can affect personal safety and property safety place particularly high demands on system security. For example, if the control program of a Linux-based unmanned aerial vehicle (UAV) embedded system is intruded upon by an external signal so that the embedded main program is modified or even replaced, a UAV safety incident with serious consequences can result.
Summary of the invention
To overcome the above defects of the prior art, the object of the invention is to provide a method for startup detection and protection of an embedded main program. The method monitors and protects the embedded main program, prevents embedded system programs from being maliciously replaced or modified, and ensures the security of the embedded system.
To achieve the above object, the technical solution adopted by the invention is:
A method for startup detection and protection of an embedded main program, the method comprising the following steps:
A. Traverse all running processes in the embedded system;
B. Determine whether the name of the detected process matches the filename of a program required for secure system startup as defined in the registry; if so, go to step C; if not, go to step F;
C. Determine whether the filenames of the programs required for secure system startup as defined in the registry are all contained in the names of the detected processes; if so, go to step D; if not, go to step F;
D. Obtain the program file path of the detected process, read the program file of the detected process from that path, and calculate the MD5 (Message-Digest Algorithm 5) value of the program file of the detected process;
E. Determine whether the calculated MD5 value of the program file of the detected process matches the MD5 value of the program required for secure system startup as defined in the registry; if so, go to step G; if not, go to step F;
F. Shut down the embedded system and send an alarm signal;
G. Keep the processes of the embedded system running normally.
As can be seen from the above, the method monitors the programs running in the embedded system: if a program required for secure system startup has not been started, or a started program is not one required for secure system startup, the system can be shut down and an alarm raised. In addition, an MD5 check can be performed on the program file of each started program: if a program has been maliciously modified or replaced, the calculated MD5 value of the program file of the detected process will not match the MD5 value of the program required for secure system startup as defined in the registry, in which case the system is shut down and an alarm signal is sent, so that malicious modification or replacement of the program can be prevented. The embedded main program is thus monitored and protected, ensuring the security of the embedded system.
The method further comprises: encrypting the storage location information of the registry, the key for the storage location information of the registry being stored only in the kernel. Thus only the kernel that stores the key is allowed to modify the registry, which makes the embedded system more secure.
A system for startup detection and protection of an embedded main program, the system comprising:
A detection unit, for traversing all running processes in the embedded system;
A registry unit, for storing the filenames and MD5 values of the programs required for secure system startup as defined in the embedded system;
A judging unit, for determining whether the name of the detected process matches the filename of a program required for secure system startup as defined in the registry unit, whether the filenames of the programs required for secure system startup as defined in the registry unit are all contained in the names of the detected processes, and whether the calculated MD5 value of the program file of the detected process matches the MD5 value of the program required for secure system startup as defined in the registry unit;
A control unit, for shutting down the embedded system, sending an alarm signal, and keeping the processes in the embedded system running normally.
The system can be used to monitor the programs running in the embedded system. The detection unit traverses all running processes in the embedded system, and the judging unit determines whether the name of the detected process is the filename of a program required for secure system startup in the registry unit. If not, the control unit shuts down the embedded system and sends an alarm signal. If so, the judging unit further determines whether the filenames of the programs required for secure system startup as defined in the registry unit are contained in the names of the detected processes. If not, the control unit shuts down the embedded system and sends an alarm signal. If so, the judging unit further determines whether the calculated MD5 value of the program file of the process detected by the detection unit matches the MD5 value of the program required for secure system startup as defined in the registry unit. If so, the control unit keeps the processes of the embedded system running normally; if not, the control unit shuts down the embedded system and sends an alarm signal. The embedded main program is thus monitored and protected, malicious modification or replacement of programs is prevented, and the security of the embedded system is ensured.
The system further comprises a designated kernel unit, for storing the key for the storage location information of the registry unit. Only the designated kernel unit is allowed to modify the registry, ensuring the security of the embedded system.
Compared with the conventional art, the beneficial effects of the invention are:
The embedded main program is monitored and protected: programs required for secure system startup can be prevented from failing to start normally, programs that are not required for secure system startup can be prevented from being started, and malicious modification or replacement of programs can be prevented, ensuring the security of the embedded system.
Brief description of the drawings
Fig. 1 is a flow chart of the method of the invention;
Fig. 2 is a schematic block diagram of the partitions of the embedded system in an embodiment of the invention;
Fig. 3 is a schematic block diagram of the startup-process monitoring registry in an embodiment of the invention;
Fig. 4 is a flow chart of the method applied in a system in an embodiment of the invention.
Embodiment
As shown in Fig. 1, a method for startup detection and protection of an embedded main program comprises the following steps:
A. Traverse all running processes in the embedded system;
B. Determine whether the name of the detected process matches the filename of a program required for secure system startup as defined in the registry; if so, go to step C; if not, go to step F;
C. Determine whether the filenames of the programs required for secure system startup as defined in the registry are all contained in the names of the detected processes; if so, go to step D; if not, go to step F;
D. Obtain the program file path of the detected process, read the program file of the detected process from that path, and calculate the MD5 (Message-Digest Algorithm 5) value of the program file of the detected process;
E. Determine whether the calculated MD5 value of the program file of the detected process matches the MD5 value of the program required for secure system startup as defined in the registry; if so, go to step G; if not, go to step F;
F. Shut down the embedded system and send an alarm signal;
G. Keep the processes of the embedded system running normally.
As can be seen from the above, the method monitors the programs running in the embedded system: if a program required for secure system startup has not been started, or a started program is not one required for secure system startup, the system can be shut down and an alarm raised. In addition, an MD5 check can be performed on the program file of each started program: if a program has been maliciously modified or replaced, the calculated MD5 value of the program file of the detected process will not match the MD5 value of the program required for secure system startup as defined in the registry, in which case the embedded system is shut down and an alarm signal is sent, so that malicious modification or replacement of the program can be prevented. The embedded main program is thus monitored and protected, ensuring the security of the embedded system.
The method further comprises encrypting the storage location information of the registry, the key for the storage location information of the registry being stored only in the kernel. Thus only the kernel that stores the key is allowed to modify the registry, which makes the embedded system more secure.
In one embodiment of the invention, in an embedded system, the method is embodied as a main-program check thread created in the kernel during the kernel start (rest_init) stage. Fig. 2 is a schematic block diagram of the partitions of the embedded system, and Fig. 3 is a schematic block diagram of the startup-process monitoring registry (the registry in the above method). The startup-process monitoring registry is stored in the boot environment sub-partition of the bootloader. The main-program check thread monitors whether the programs required for secure system startup as defined in the startup-process monitoring registry in the boot environment have been started normally, or whether the started programs are programs required for secure system startup as defined in the startup-process monitoring registry. The implementation process is shown in Fig. 4. After the system is powered on, the boot program (uboot) reads the data in the environment variable partition (boot environment) and checks whether any startup item in the startup-process monitoring registry is marked as abnormal; if not, the read-only minimal kernel (readonly mini kernel) is started, followed by the read-only minimal file system (readonly mini roots); if an abnormality flag exists, the main-program check thread is created in the kernel and checks whether the system background processes it monitors are abnormal; if not, the read-only minimal file system (readonly mini roots) is started; if the system background processes monitored by the main-program check thread are abnormal, the startup-process monitoring registry is maintained in real time, the abnormality is written to the startup-process monitoring registry in the environment variable partition (boot environment), and the system then enters a restart (emergency_restart).
A system for startup detection and protection of an embedded main program, the system comprising:
A detection unit, for traversing all running processes in the embedded system;
A registry unit, for storing the filenames and MD5 values of the programs required for secure system startup as defined in the embedded system;
A judging unit, for determining whether the name of the detected process matches the filename of a program required for secure system startup as defined in the registry unit, whether the filenames of the programs required for secure system startup as defined in the registry unit are all contained in the names of the detected processes, and whether the calculated MD5 value of the program file of the detected process matches the MD5 value of the program required for secure system startup as defined in the registry unit;
A control unit, for shutting down the embedded system, sending an alarm signal, and keeping the processes in the embedded system running normally.
The system can be used to monitor the programs running in the embedded system. The detection unit traverses all running processes in the embedded system, and the judging unit determines whether the name of the detected process is the filename of a program required for secure system startup in the registry unit. If not, the control unit shuts down the embedded system and sends an alarm signal. If so, the judging unit further determines whether the filenames of the programs required for secure system startup as defined in the registry unit are contained in the names of the detected processes. If not, the control unit shuts down the embedded system and sends an alarm signal. If so, the judging unit further determines whether the calculated MD5 value of the program file of the process detected by the detection unit matches the MD5 value of the program required for secure system startup as defined in the registry unit. If so, the control unit keeps the processes of the embedded system running normally; if not, the control unit shuts down the embedded system and sends an alarm signal. The embedded main program is thus monitored and protected, malicious modification or replacement of programs is prevented, and the security of the embedded system is ensured.
The system further comprises a designated kernel unit, for storing the key for the storage location information of the registry unit. Only the designated kernel unit is allowed to modify the registry, ensuring the security of the embedded system.
The above detailed description illustrates one feasible embodiment of the invention. The embodiment is not intended to limit the patent scope of the invention; all equivalent implementations or changes that do not depart from the invention are intended to fall within the patent scope of this case.
Claims (3)
1. A method for startup detection and protection of an embedded main program, characterized in that the method comprises the following steps:
A. Traverse all running processes in the embedded system;
B. Determine whether the name of the detected process matches the filename of a program required for secure system startup as defined in the registry; if so, go to step C; if not, go to step F;
C. Determine whether the filenames of the programs required for secure system startup as defined in the registry are all contained in the names of the detected processes; if so, go to step D; if not, go to step F;
D. Obtain the program file path of the detected process, read the program file of the detected process from that path, and calculate the MD5 value of the program file of the detected process;
E. Determine whether the calculated MD5 value of the program file of the detected process matches the MD5 value of the program required for secure system startup as defined in the registry; if so, go to step G; if not, go to step F;
F. Shut down the embedded system and send an alarm signal;
G. Keep the processes of the embedded system running normally;
The storage location information of the registry is encrypted, and the key for the storage location information of the registry is stored only in the kernel.
2. A system for startup detection and protection of an embedded main program, characterized in that the system comprises:
A detection unit, for traversing all running processes in the embedded system;
A registry unit, for storing the filenames and MD5 values of the programs required for secure system startup as defined in the embedded system;
A judging unit, for determining whether the name of the detected process matches the filename of a program required for secure system startup as defined in the registry unit, whether the filenames of the programs required for secure system startup as defined in the registry unit are contained in the names of the detected processes, and whether the calculated MD5 value of the program file of the detected process matches the MD5 value of the program required for secure system startup as defined in the registry unit;
A control unit, for shutting down the embedded system, sending an alarm signal, and keeping the processes in the embedded system running normally.
3. The system for startup detection and protection of an embedded main program according to claim 2, characterized in that it further comprises a designated kernel unit, for storing the key for the storage location information of the registry unit.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510136632.5A (CN104715191B) | 2015-03-26 | 2015-03-26 | Method and system for startup detection and protection of an embedded main program |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104715191A | 2015-06-17 |
CN104715191B | 2017-09-29 |
Family ID: 53414511
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510136632.5A, Active (CN104715191B) | 2015-03-26 | 2015-03-26 | Method and system for startup detection and protection of an embedded main program |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104715191B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||